How to craft a custom AWS CloudWatch Read-Only policy tailored for a specific log group, including permissions for Logs Insights?

0

I used this code. It works in the log groups dashboard, but in the Logs Insights dashboard I am getting an error. I have attached the code and a screenshot below.

The code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:GetQueryResults",
                "logs:GetLogGroupFields"
            ],
            "Resource": "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}


KARTHIK
asked 9 months ago, 261 views
1 Answer
1
Accepted Answer

Hello.

I modified the policy as follows.
I have included all the policies used by CloudWatch Logs Insights, so it will probably work.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeQueryDefinitions",
                "logs:DescribeQueries",
                "logs:GetLogEvents",
                "logs:StopQuery"
            ],
            "Resource": "*" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "logs:DescribeLogStreams", 
                "logs:StartQuery", 
                "logs:GetQueryResults", 
                "logs:GetLogGroupFields" 
            ], 
            "Resource": "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate:*" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "cloudwatch:GetMetricData", 
                "cloudwatch:GetMetricStatistics", 
                "cloudwatch:ListMetrics" 
            ], 
            "Resource": "*" 
        } 
    ] 
}
EXPERT
answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
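
To see exactly what the accepted answer grants beyond the question's policy, the two documents can be compared offline. This is an added example, not code from the thread or from AWS: the helper names are hypothetical, the question's policy is assumed to use "*" for its first Resource and a trailing ":*" on the log-group ARN, and the matcher is a simplification that handles Allow statements only (no Deny, Condition or NotAction).

```python
import fnmatch

ARN = "arn:aws:logs:ap-south-1:744096931876:log-group:/aws/lambda/Password-generate:*"
METRICS = ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
           "cloudwatch:ListMetrics"]

def allow(actions, resource):
    """Build one Allow statement (hypothetical helper for this example)."""
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# Policy from the question (assumed "*" and trailing ":*", see lead-in).
QUESTION = {"Version": "2012-10-17", "Statement": [
    allow("logs:DescribeLogGroups", "*"),
    allow(["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:StartQuery",
           "logs:StopQuery", "logs:GetQueryResults", "logs:GetLogGroupFields"], ARN),
    allow(METRICS, "*"),
]}

# Policy from the accepted answer.
ANSWER = {"Version": "2012-10-17", "Statement": [
    allow(["logs:DescribeLogGroups", "logs:DescribeQueryDefinitions",
           "logs:DescribeQueries", "logs:GetLogEvents", "logs:StopQuery"], "*"),
    allow(["logs:DescribeLogStreams", "logs:StartQuery",
           "logs:GetQueryResults", "logs:GetLogGroupFields"], ARN),
    allow(METRICS, "*"),
]}

def grants(policy):
    """Yield every (action, resource pattern) pair from Allow statements."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        for a in actions:
            for r in resources:
                yield a, r

def covers(policy, action, resource):
    """True if some Allow grant matches; action names compare case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               and fnmatch.fnmatchcase(resource, r) for a, r in grants(policy))

def added_grants(old, new):
    """Grants in `new` that `old` does not cover (resource text compared as-is)."""
    return sorted({g for g in grants(new) if not covers(old, *g)})

if __name__ == "__main__":
    for action, resource in added_grants(QUESTION, ANSWER):
        print(f"{action:32} {resource}")
```

The same comparison works as a review step before attaching a widened policy: every line it prints is a permission that moved from the single log group to all resources or was newly added.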